From ccdedaa243545791168714823b60941041986389 Mon Sep 17 00:00:00 2001 From: yasahi-hpc <57478230+yasahi-hpc@users.noreply.github.com> Date: Mon, 27 Jan 2025 15:10:52 +0100 Subject: [PATCH] Simplify CMake installation in Dockerfiles (#222) * simplify Dockerfile for clang CI * Use correct public key to verify CMake binary signature * [skip ci] Add documentation * Add example of CMake release URL in CONTRIBUTING.md * Add missing licenses * merge CONTIRUBINT.md into README.md under docker * add package write permission in CI --------- Co-authored-by: Yuuichi Asahi Co-authored-by: Paul Zehner --- .github/workflows/__build_base.yaml | 3 +++ .github/workflows/build_test.yaml | 3 +++ .github/workflows/pre_build_base.yaml | 4 ++++ docker/README.md | 27 +++++++++++++++++++++++++++ docker/clang/Dockerfile | 25 ++++++++++++------------- docker/gcc/Dockerfile | 25 ++++++++++++------------- docker/intel/Dockerfile | 25 ++++++++++++------------- docker/nvcc/Dockerfile | 25 ++++++++++++------------- docker/rocm/Dockerfile | 25 ++++++++++++------------- 9 files changed, 97 insertions(+), 65 deletions(-) create mode 100644 docker/README.md diff --git a/.github/workflows/__build_base.yaml b/.github/workflows/__build_base.yaml index f72234d5..f5b65679 100644 --- a/.github/workflows/__build_base.yaml +++ b/.github/workflows/__build_base.yaml @@ -31,6 +31,9 @@ env: jobs: build_base: runs-on: ubuntu-latest + permissions: + contents: read + packages: write strategy: matrix: diff --git a/.github/workflows/build_test.yaml b/.github/workflows/build_test.yaml index d3fbed1e..3e1521e5 100644 --- a/.github/workflows/build_test.yaml +++ b/.github/workflows/build_test.yaml @@ -44,6 +44,9 @@ jobs: if: ${{ needs.check_docker_files.outputs.docker_files_have_changed == 'true' }} uses: ./.github/workflows/__build_base.yaml + permissions: + contents: read + packages: write with: image_suffix: ${{ needs.check_docker_files.outputs.image_suffix }} 
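Review bot: The new `permissions:` blocks grant `packages: write` with no comment saying what needs it; the steps that use the token are outside these hunks, so presumably it is the push of the base image to the package registry. A comment above each block, e.g. `# packages: write is needed to push the base image; everything else stays read-only`, would keep a later edit from widening or dropping the scope. In build_test.yaml the block sits on the job that calls `__build_base.yaml`, and the workflow's trigger list is not visible here, so it is worth confirming that this job never builds Dockerfiles from an untrusted pull request while holding the write token. The same block is added to the `build_base` job in pre_build_base.yaml.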
diff --git a/.github/workflows/pre_build_base.yaml b/.github/workflows/pre_build_base.yaml index ad9b1cea..3b26f684 100644 --- a/.github/workflows/pre_build_base.yaml +++ b/.github/workflows/pre_build_base.yaml @@ -27,6 +27,10 @@ jobs: build_base: needs: check_docker_files + permissions: + contents: read + packages: write + # run inconditionnaly on schedule or manual mode or if Docker files changed on other modes if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || needs.check_docker_files.outputs.docker_files_have_changed == 'true' }} diff --git a/docker/README.md b/docker/README.md new file mode 100644 index 00000000..80b7564a --- /dev/null +++ b/docker/README.md @@ -0,0 +1,27 @@ + + +# Dockerfiles + +Those Dockerfiles are mainly used for CI. +Each backend/compiler has a corresponding Dockerfile. + +# Contributing + +## CMake installation in Dockerfiles + +As the project requires CMake v3.23 at least, and as some Dockerfiles are based on Ubuntu 20.04 images, CMake has to be installed manually. +The installer is downloaded, its signature is verified, then its checksum is verified. +To check the signature, the public key of the person who signed the binary is required. +This public key can be extracted from the key ID. + +When updating the Dockerfiles for a newer version of CMake (if needed), the process to get the right public key is as follows: + +1. Identify the release on GitHub (e.g. https://github.com/Kitware/CMake/releases/tag/v3.23.2); +2. Copy the key ID in the line "PGP sign by XXXXXXXX"; +3. Paste it in `https://keys.openpgp.org/` to retrieve the URL of the public key file; +4. Copy the last part in the URL `https://keys.openpgp.org/vks/v1/by-fingerprint/YYYYYYYY`; +5. Update the Dockrfiles with this value. \ No newline at end of file diff --git a/docker/clang/Dockerfile b/docker/clang/Dockerfile index fd6f9569..08d2c595 100644 --- a/docker/clang/Dockerfile +++ b/docker/clang/Dockerfile 
@@ -35,27 +35,26 @@ RUN apt-get update && apt-get install -y \ clang-tidy-19 \ && rm -rf /var/lib/apt/lists/* -RUN KEYDUMP_URL=https://cloud.cees.ornl.gov/download && \ - KEYDUMP_FILE=keydump && \ - wget --quiet ${KEYDUMP_URL}/${KEYDUMP_FILE} && \ - wget --quiet ${KEYDUMP_URL}/${KEYDUMP_FILE}.sig && \ - gpg --import ${KEYDUMP_FILE} && \ - gpg --verify ${KEYDUMP_FILE}.sig ${KEYDUMP_FILE} && \ - rm ${KEYDUMP_FILE}* - +# Install newer CMake manually ARG CMAKE_VERSION=3.23.2 + ENV CMAKE_DIR=/opt/cmake RUN CMAKE_URL=https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION} && \ - CMAKE_SCRIPT=cmake-${CMAKE_VERSION}-Linux-x86_64.sh && \ + CMAKE_SCRIPT=cmake-${CMAKE_VERSION}-linux-x86_64.sh && \ CMAKE_SHA256=cmake-${CMAKE_VERSION}-SHA-256.txt && \ + CMAKE_SIGNATURE=cmake-${CMAKE_VERSION}-SHA-256.txt.asc && \ + PUBLIC_KEY_ID=CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA && \ + PUBLIC_KEY_URL=https://keys.openpgp.org/vks/v1/by-fingerprint/${PUBLIC_KEY_ID} && \ wget --quiet ${CMAKE_URL}/${CMAKE_SHA256} && \ - wget --quiet ${CMAKE_URL}/${CMAKE_SHA256}.asc && \ + wget --quiet ${CMAKE_URL}/${CMAKE_SIGNATURE} && \ wget --quiet ${CMAKE_URL}/${CMAKE_SCRIPT} && \ - gpg --verify ${CMAKE_SHA256}.asc ${CMAKE_SHA256} && \ - grep -i ${CMAKE_SCRIPT} ${CMAKE_SHA256} | sed -e s/linux/Linux/ | sha256sum --check && \ + wget --quiet ${PUBLIC_KEY_URL} && \ + gpg --import ${PUBLIC_KEY_ID} && \ + gpg --verify ${CMAKE_SIGNATURE} ${CMAKE_SHA256} && \ + grep -i ${CMAKE_SCRIPT} ${CMAKE_SHA256} | sha256sum --check && \ mkdir -p ${CMAKE_DIR} && \ sh ${CMAKE_SCRIPT} --skip-license --prefix=${CMAKE_DIR} && \ - rm cmake* + rm cmake* ${PUBLIC_KEY_ID} ENV PATH=${CMAKE_DIR}/bin:$PATH # Set Clang 19 as the default Clang and Clang++ diff --git a/docker/gcc/Dockerfile b/docker/gcc/Dockerfile index 12084bda..a219438e 100644 --- a/docker/gcc/Dockerfile +++ b/docker/gcc/Dockerfile 
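Review bot: `gpg --verify ${CMAKE_SIGNATURE} ${CMAKE_SHA256}` in the new RUN step accepts a good signature from any key in the keyring, so `PUBLIC_KEY_ID` only selects which file is fetched from keys.openpgp.org and is never compared with the key that signed the checksum file. If the key server returned a different key, or the base image already had other keys imported, a signature made with one of those keys would still verify. Pin the signer by checking the status output, replacing the verify line with `gpg --status-fd 1 --verify ${CMAKE_SIGNATURE} ${CMAKE_SHA256} | grep -q "VALIDSIG.*${PUBLIC_KEY_ID}" && \`. The same step is repeated in the gcc, intel, nvcc and rocm Dockerfile hunks.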
@@ -21,27 +21,26 @@ ENV FFTWDIR "/usr" RUN git config --global --add safe.directory "*" -RUN KEYDUMP_URL=https://cloud.cees.ornl.gov/download && \ - KEYDUMP_FILE=keydump && \ - wget --quiet ${KEYDUMP_URL}/${KEYDUMP_FILE} && \ - wget --quiet ${KEYDUMP_URL}/${KEYDUMP_FILE}.sig && \ - gpg --import ${KEYDUMP_FILE} && \ - gpg --verify ${KEYDUMP_FILE}.sig ${KEYDUMP_FILE} && \ - rm ${KEYDUMP_FILE}* - +# Install newer CMake manually ARG CMAKE_VERSION=3.23.2 + ENV CMAKE_DIR=/opt/cmake RUN CMAKE_URL=https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION} && \ - CMAKE_SCRIPT=cmake-${CMAKE_VERSION}-Linux-x86_64.sh && \ + CMAKE_SCRIPT=cmake-${CMAKE_VERSION}-linux-x86_64.sh && \ CMAKE_SHA256=cmake-${CMAKE_VERSION}-SHA-256.txt && \ + CMAKE_SIGNATURE=cmake-${CMAKE_VERSION}-SHA-256.txt.asc && \ + PUBLIC_KEY_ID=CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA && \ + PUBLIC_KEY_URL=https://keys.openpgp.org/vks/v1/by-fingerprint/${PUBLIC_KEY_ID} && \ wget --quiet ${CMAKE_URL}/${CMAKE_SHA256} && \ - wget --quiet ${CMAKE_URL}/${CMAKE_SHA256}.asc && \ + wget --quiet ${CMAKE_URL}/${CMAKE_SIGNATURE} && \ wget --quiet ${CMAKE_URL}/${CMAKE_SCRIPT} && \ - gpg --verify ${CMAKE_SHA256}.asc ${CMAKE_SHA256} && \ - grep -i ${CMAKE_SCRIPT} ${CMAKE_SHA256} | sed -e s/linux/Linux/ | sha256sum --check && \ + wget --quiet ${PUBLIC_KEY_URL} && \ + gpg --import ${PUBLIC_KEY_ID} && \ + gpg --verify ${CMAKE_SIGNATURE} ${CMAKE_SHA256} && \ + grep -i ${CMAKE_SCRIPT} ${CMAKE_SHA256} | sha256sum --check && \ mkdir -p ${CMAKE_DIR} && \ sh ${CMAKE_SCRIPT} --skip-license --prefix=${CMAKE_DIR} && \ - rm cmake* + rm cmake* ${PUBLIC_KEY_ID} ENV PATH=${CMAKE_DIR}/bin:$PATH WORKDIR /work diff --git a/docker/intel/Dockerfile b/docker/intel/Dockerfile index 2275e20d..b2f9b498 100644 --- a/docker/intel/Dockerfile +++ b/docker/intel/Dockerfile 
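Review bot: With the script name now lowercase, the `-i` in `grep -i ${CMAKE_SCRIPT} ${CMAKE_SHA256}` is no longer needed, and the unquoted name is still treated as a regular expression, so its dots match any character. A fixed-string match selects exactly the line for the downloaded file: `grep -F "${CMAKE_SCRIPT}" ${CMAKE_SHA256} | sha256sum --check && \`. This is a robustness point rather than a bypass, since a stray extra line would make `sha256sum --check` fail on a missing file. It applies equally to the clang, intel, nvcc and rocm hunks.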
@@ -22,27 +22,26 @@ ENV FFTWDIR "/usr" RUN git config --global --add safe.directory "*" -RUN KEYDUMP_URL=https://cloud.cees.ornl.gov/download && \ - KEYDUMP_FILE=keydump && \ - wget --quiet ${KEYDUMP_URL}/${KEYDUMP_FILE} && \ - wget --quiet ${KEYDUMP_URL}/${KEYDUMP_FILE}.sig && \ - gpg --import ${KEYDUMP_FILE} && \ - gpg --verify ${KEYDUMP_FILE}.sig ${KEYDUMP_FILE} && \ - rm ${KEYDUMP_FILE}* - +# Install newer CMake manually ARG CMAKE_VERSION=3.25.2 + ENV CMAKE_DIR=/opt/cmake RUN CMAKE_URL=https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION} && \ - CMAKE_SCRIPT=cmake-${CMAKE_VERSION}-Linux-x86_64.sh && \ + CMAKE_SCRIPT=cmake-${CMAKE_VERSION}-linux-x86_64.sh && \ CMAKE_SHA256=cmake-${CMAKE_VERSION}-SHA-256.txt && \ + CMAKE_SIGNATURE=cmake-${CMAKE_VERSION}-SHA-256.txt.asc && \ + PUBLIC_KEY_ID=CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA && \ + PUBLIC_KEY_URL=https://keys.openpgp.org/vks/v1/by-fingerprint/${PUBLIC_KEY_ID} && \ wget --quiet ${CMAKE_URL}/${CMAKE_SHA256} && \ - wget --quiet ${CMAKE_URL}/${CMAKE_SHA256}.asc && \ + wget --quiet ${CMAKE_URL}/${CMAKE_SIGNATURE} && \ wget --quiet ${CMAKE_URL}/${CMAKE_SCRIPT} && \ - gpg --verify ${CMAKE_SHA256}.asc ${CMAKE_SHA256} && \ - grep -i ${CMAKE_SCRIPT} ${CMAKE_SHA256} | sed -e s/linux/Linux/ | sha256sum --check && \ + wget --quiet ${PUBLIC_KEY_URL} && \ + gpg --import ${PUBLIC_KEY_ID} && \ + gpg --verify ${CMAKE_SIGNATURE} ${CMAKE_SHA256} && \ + grep -i ${CMAKE_SCRIPT} ${CMAKE_SHA256} | sha256sum --check && \ mkdir -p ${CMAKE_DIR} && \ sh ${CMAKE_SCRIPT} --skip-license --prefix=${CMAKE_DIR} && \ - rm cmake* + rm cmake* ${PUBLIC_KEY_ID} ENV PATH=${CMAKE_DIR}/bin:$PATH WORKDIR /work diff --git a/docker/nvcc/Dockerfile b/docker/nvcc/Dockerfile index 59115370..29d444fc 100644 --- a/docker/nvcc/Dockerfile +++ b/docker/nvcc/Dockerfile 
@@ -24,27 +24,26 @@ ENV FFTWDIR "/usr" RUN git config --global --add safe.directory "*" -RUN KEYDUMP_URL=https://cloud.cees.ornl.gov/download && \ - KEYDUMP_FILE=keydump && \ - wget --quiet ${KEYDUMP_URL}/${KEYDUMP_FILE} && \ - wget --quiet ${KEYDUMP_URL}/${KEYDUMP_FILE}.sig && \ - gpg --import ${KEYDUMP_FILE} && \ - gpg --verify ${KEYDUMP_FILE}.sig ${KEYDUMP_FILE} && \ - rm ${KEYDUMP_FILE}* - +# Install newer CMake manually ARG CMAKE_VERSION=3.23.2 + ENV CMAKE_DIR=/opt/cmake RUN CMAKE_URL=https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION} && \ - CMAKE_SCRIPT=cmake-${CMAKE_VERSION}-Linux-x86_64.sh && \ + CMAKE_SCRIPT=cmake-${CMAKE_VERSION}-linux-x86_64.sh && \ CMAKE_SHA256=cmake-${CMAKE_VERSION}-SHA-256.txt && \ + CMAKE_SIGNATURE=cmake-${CMAKE_VERSION}-SHA-256.txt.asc && \ + PUBLIC_KEY_ID=CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA && \ + PUBLIC_KEY_URL=https://keys.openpgp.org/vks/v1/by-fingerprint/${PUBLIC_KEY_ID} && \ wget --quiet ${CMAKE_URL}/${CMAKE_SHA256} && \ - wget --quiet ${CMAKE_URL}/${CMAKE_SHA256}.asc && \ + wget --quiet ${CMAKE_URL}/${CMAKE_SIGNATURE} && \ wget --quiet ${CMAKE_URL}/${CMAKE_SCRIPT} && \ - gpg --verify ${CMAKE_SHA256}.asc ${CMAKE_SHA256} && \ - grep -i ${CMAKE_SCRIPT} ${CMAKE_SHA256} | sed -e s/linux/Linux/ | sha256sum --check && \ + wget --quiet ${PUBLIC_KEY_URL} && \ + gpg --import ${PUBLIC_KEY_ID} && \ + gpg --verify ${CMAKE_SIGNATURE} ${CMAKE_SHA256} && \ + grep -i ${CMAKE_SCRIPT} ${CMAKE_SHA256} | sha256sum --check && \ mkdir -p ${CMAKE_DIR} && \ sh ${CMAKE_SCRIPT} --skip-license --prefix=${CMAKE_DIR} && \ - rm cmake* + rm cmake* ${PUBLIC_KEY_ID} ENV PATH=${CMAKE_DIR}/bin:$PATH WORKDIR /work diff --git a/docker/rocm/Dockerfile b/docker/rocm/Dockerfile index e3cdc0a6..ce4c5848 100644 --- a/docker/rocm/Dockerfile +++ b/docker/rocm/Dockerfile 
@@ -29,27 +29,26 @@ ENV CMAKE_PREFIX_PATH /opt/rocm/hip/:/opt/rocm/:$CMAKE_PREFIX_PATH RUN git config --global --add safe.directory "*" -RUN KEYDUMP_URL=https://cloud.cees.ornl.gov/download && \ - KEYDUMP_FILE=keydump && \ - wget --quiet ${KEYDUMP_URL}/${KEYDUMP_FILE} && \ - wget --quiet ${KEYDUMP_URL}/${KEYDUMP_FILE}.sig && \ - gpg --import ${KEYDUMP_FILE} && \ - gpg --verify ${KEYDUMP_FILE}.sig ${KEYDUMP_FILE} && \ - rm ${KEYDUMP_FILE}* - +# Install newer CMake manually ARG CMAKE_VERSION=3.23.2 + ENV CMAKE_DIR=/opt/cmake RUN CMAKE_URL=https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION} && \ - CMAKE_SCRIPT=cmake-${CMAKE_VERSION}-Linux-x86_64.sh && \ + CMAKE_SCRIPT=cmake-${CMAKE_VERSION}-linux-x86_64.sh && \ CMAKE_SHA256=cmake-${CMAKE_VERSION}-SHA-256.txt && \ + CMAKE_SIGNATURE=cmake-${CMAKE_VERSION}-SHA-256.txt.asc && \ + PUBLIC_KEY_ID=CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA && \ + PUBLIC_KEY_URL=https://keys.openpgp.org/vks/v1/by-fingerprint/${PUBLIC_KEY_ID} && \ wget --quiet ${CMAKE_URL}/${CMAKE_SHA256} && \ - wget --quiet ${CMAKE_URL}/${CMAKE_SHA256}.asc && \ + wget --quiet ${CMAKE_URL}/${CMAKE_SIGNATURE} && \ wget --quiet ${CMAKE_URL}/${CMAKE_SCRIPT} && \ - gpg --verify ${CMAKE_SHA256}.asc ${CMAKE_SHA256} && \ - grep -i ${CMAKE_SCRIPT} ${CMAKE_SHA256} | sed -e s/linux/Linux/ | sha256sum --check && \ + wget --quiet ${PUBLIC_KEY_URL} && \ + gpg --import ${PUBLIC_KEY_ID} && \ + gpg --verify ${CMAKE_SIGNATURE} ${CMAKE_SHA256} && \ + grep -i ${CMAKE_SCRIPT} ${CMAKE_SHA256} | sha256sum --check && \ mkdir -p ${CMAKE_DIR} && \ sh ${CMAKE_SCRIPT} --skip-license --prefix=${CMAKE_DIR} && \ - rm cmake* + rm cmake* ${PUBLIC_KEY_ID} ENV PATH=${CMAKE_DIR}/bin:$PATH WORKDIR /work